Debian Security Advisory

DLA-385-2 isc-dhcp -- LTS security update

Date Reported: 19 Jan 2016
Affected Packages: isc-dhcp
Vulnerable: Yes
Security database references: In Mitre's CVE dictionary: CVE-2015-8605.
More information:

The previous upload of the isc-dhcp package to Debian Squeeze LTS introduced two issues into LTS, both of which are resolved by this upload.

  • (1) CVE-2015-8605 had only been resolved for the LDAP variant of the DHCP server package built from the isc-dhcp source package. With the upload of version 4.1.1-P1-15+squeeze10, all DHCP server variants (LDAP and non-LDAP alike) now include the fix for CVE-2015-8605. Thanks to Ben Hutchings for spotting this inaccuracy.

  • (2) The amd64 binary build of the previously uploaded isc-dhcp version (4.1.1-P1-15+squeeze9) was flawed and searched for the dhcpd.conf configuration file at the wrong location [1,2,3]. This flaw in the amd64 build was caused by a build system on the maintainer's end that was not a 100% pure squeeze-lts environment. The amd64 build of version 4.1.1-P1-15+squeeze10 has been redone in a brand-new build environment and no longer shows the reported symptom(s).

    I deeply apologize for the experienced inconvenience to all who encountered this issue.

[1] https://bugs.debian.org/811097
[2] https://bugs.debian.org/811397
[3] https://bugs.debian.org/811402

For Debian 6 Squeeze, these issues have been fixed in isc-dhcp version 4.1.1-P1-15+squeeze10.